313 lines
13 KiB
Plaintext
313 lines
13 KiB
Plaintext
Wireshark 4.3.0 Release Notes
|
||
|
||
This is an experimental release intended to test new features for
|
||
Wireshark 4.4.
|
||
|
||
What is Wireshark?
|
||
|
||
Wireshark is the world’s most popular network protocol analyzer. It is
|
||
used for troubleshooting, analysis, development and education.
|
||
|
||
What’s New
|
||
|
||
Lua 5.3 and 5.4 are supported, and the Lua version included with the
|
||
Windows and MacOS installers is now 5.4.6.
|
||
|
||
Improved display filter support for value strings (optional string
|
||
representations for numeric fields).
|
||
|
||
Display filter functions can be implemented as runtime-loadable C
|
||
plugins.
|
||
|
||
Plugin registration API was refactored. Plugin authors must update
|
||
their plugins as described below.
|
||
|
||
Custom columns can be defined using any valid field expression, such
|
||
as display filter functions, slices, arithmetic calculations, logical
|
||
tests, raw byte addressing, and the layer modifier.
|
||
|
||
Custom output fields for `tshark -e` can also be defined using any
|
||
valid field expression.
|
||
|
||
Many other improvements have been made. See the “New and Updated
|
||
Features” section below for more details.
|
||
|
||
New and Updated Features
|
||
|
||
The following features are new (or have been significantly updated)
|
||
since version 4.2.0:
|
||
|
||
• Display filter syntax-related enhancements:
|
||
|
||
• Better handling of comparisons with value strings. Now the
|
||
display filter engine can correctly handle cases where multiple
|
||
different numeric values map to the same value string, including
|
||
but not limited to range-type value strings.
|
||
|
||
• Fields with value strings now support regular expression
|
||
matching.
|
||
|
||
• Date and time values now support arithmetic, with some
|
||
restrictions: the multiplier/divisor must be an integer or float
|
||
and appear on the right-hand side of the operator.
|
||
|
||
• The keyword "bitand" can be used as an alternative syntax for
|
||
the bitwise-and operator.
|
||
|
||
• Functions alone can now be used as an entire logical
|
||
expression. The result of the expression is the truthiness of the
|
||
function return value (or of all values if more than one). This
|
||
is useful for example to write "len(something)" instead of
|
||
"len(something) != 0". Even more so if a function returns itself
|
||
a boolean value, it is now possible to write
|
||
"bool_test(some.field)" instead of having to write
|
||
"bool_test(some.field) == True" (both forms are now valid).
|
||
|
||
• Display filter references can be written without curly braces.
|
||
It is now possible to write `$frame.number` instead of
|
||
`${frame.number}` for example.
|
||
|
||
• Added new display filter functions to test various IP address
|
||
properties. Check the wireshark-filter(5) manpage for more
|
||
information.
|
||
|
||
• Added new display filter functions to convert unsigned integer
|
||
types to decimal or hexadecimal, and convert fields with value
|
||
strings into the associated string for their value (used to
|
||
produce results similar to custom columns). Check the
|
||
wireshark-filter(5) manpage for more information.
|
||
|
||
• Display filter macros can be written with a semicolon after
|
||
the macro name before the argument list, e.g.
|
||
`${mymacro;arg1;…;argN}`, instead of `${mymacro:arg1;…;argN}`.
|
||
The version with semicolons works better with pop-up suggestions
|
||
when editing the display filter, so the version with the colon
|
||
might be removed in the future.
|
||
|
||
• Display filter macros can be written using a function-like
|
||
notation. The macro `${mymacro:arg1;…;argN}` can be written
|
||
`$mymacro(arg1,…,argN)`.
|
||
|
||
• Display filter functions can be implemented as libwireshark
|
||
plugins. Plugins are loaded during startup from the usual binary
|
||
plugin configuration directories. See the `ipaddr.c` source file
|
||
in the distribution for an example of a display filter C plugin
|
||
and the doc/plugins.example folder for generic instructions how
|
||
to build a plugin.
|
||
|
||
• Display filter autocompletions now also include display filter
|
||
functions.
|
||
|
||
• The display filter macro configuration file has changed format.
|
||
It now uses the same format as the "dfilters" file and has been
|
||
renamed accordingly to "dmacros". Internally it no longer uses
|
||
the UAT API and the display filter macro GUI dialog has been
|
||
updated. There is some basic migration logic implemented but it
|
||
is advisable to check that the "dfilter_macros" (old) and
|
||
"dmacros" (new) files in the profile directory are consistent.
|
||
|
||
• Custom columns can be defined using any valid field expression:
|
||
|
||
• Display filter functions, like `len(tcp.payload)`, including
|
||
nested functions like `min(len(tcp.payload), len(udp.payload)`
|
||
and newly defined functions using the plugin system mentioned
|
||
above. Issue 15990[1] Issue 16181[2]
|
||
|
||
• Arithmetic calculations, like `ip.len * 8` or `tcp.srcport +
|
||
tcp.dstport`. Issue 7752[3]
|
||
|
||
• Slices, like `tcp.payload[4:4]`. Issue 10154[4]
|
||
|
||
• The layer operator, like `ip.proto#1` to return the proto
|
||
field in the first IPv4 layer if there is tunneling. Issue
|
||
18588[5]
|
||
|
||
• Raw byte addressing, like `@ip`, useful to return the bytes of
|
||
a protocol or FT_NONE field, among others. Issue 19076[6]
|
||
|
||
• Logical tests, like `tcp.port == 443`, which produce a check
|
||
mark if the test matches (similar to protocol and none fields
|
||
without `@`.) This works with all logical operators, including
|
||
e.g. regular expression matching (`matches` or `~`.)
|
||
|
||
• Defined display filter macros.
|
||
|
||
• Any combination of the above also works.
|
||
|
||
• Multifield columns are still available. For backwards
|
||
compatibility, `X or Y` is interpreted as a multifield column as
|
||
before. To represent a logical test for the presence of multiple
|
||
fields instead of concatenating values, use parenthesis, like
|
||
`(tcp.options.timestamp or tcp.options.nop`.
|
||
|
||
• Field references are not implemented, because there’s no sense
|
||
of a currently selected frame. "Resolved" column values (such as
|
||
host name resolution or value string lookup) are not supported
|
||
for any of the new expressions yet.
|
||
|
||
• Custom output fields for `tshark -e <field>` can also be defined
|
||
using any valid field expression as above.
|
||
|
||
• For custom output fields, `X or Y` is the usual logical test;
|
||
to output multiple fields use multiple `-e` terms as before.
|
||
|
||
• The various `-E` options, including `-E occurrence`, all work
|
||
as expected.
|
||
|
||
• When selecting "Manage Interfaces" from "Capture Options",
|
||
Wireshark only attempts to reconnect to rpcap (remote) hosts that
|
||
were connected to in the last session, instead of every remote
|
||
host that the current profile has ever connected to. Issue
|
||
17484[7]
|
||
|
||
• Adding interfaces at startup is about twice as fast, and has many
|
||
fewer UAC pop-ups when npcap is installed with access restricted
|
||
to Administrators on Windows
|
||
|
||
• The Resolved Addresses dialog only shows what addresses and ports
|
||
are present in the file (not including information from static
|
||
files), and selected rows or the entire table can be saved or
|
||
copied to the clipboard in several formats.
|
||
|
||
• New "Tools › Install Plugin" option provides a convenient method
|
||
to install a binary plugin to the personal folder.
|
||
|
||
• The personal binary plugins folder now has higher priority than
|
||
the global folder.
|
||
|
||
• The binary plugins folder path no longer uses an X.Y version
|
||
component. Plugins are required to add the ABI version to the
|
||
file name.
|
||
|
||
• Truncated fields in the detail view are now displayed as "Field
|
||
name […]: data" instead of "Field name [truncated]: data"
|
||
|
||
• When capturing files in multiple file mode, a pattern that places
|
||
the date and time before the index number can be used (e.g.,
|
||
foo_20240714110102_00001.pcap instead of
|
||
foo_00001_20240714110102.pcap). This causes filenames to sort in
|
||
chronological order across file sets from different captures. The
|
||
File Set dialog has been updated to handle the new pattern, which
|
||
has been capable of being produced by tshark since version 3.6.0
|
||
|
||
• The "Follow Stream" dialog can now show delta times between turns
|
||
and all packets and events.
|
||
|
||
• The "Find Packet" dialog can search backwards, and find
|
||
additional occurrences of a string, hex value, or regular
|
||
expression in a single frame.
|
||
|
||
• The included Lua version has been updated to 5.4. While most Lua
|
||
dissectors should continue to work (the lua_bitop library has
|
||
been patched to work with Lua 5.3 and 5.4, in addition to the
|
||
native Lua support for bit operations present in those versions),
|
||
different versions of Lua are not guaranteed to be compatible. If
|
||
a Lua dissector has issues, check the manuals for Lua 5.4[8], Lua
|
||
5.3[9], and Lua 5.2[10] for incompatibilities and suggested
|
||
workarounds. Note that features marked as deprecated in one
|
||
version are removed in the subsequent version without additional
|
||
notice, so it can be worth checking the manual for previous
|
||
versions.
|
||
|
||
Removed Features and Support
|
||
|
||
• The tshark `-G` option with no argument is deprecated and will be
|
||
removed in a future version. Use `tshark -G fields` to produce
|
||
the same report.
|
||
|
||
Removed Dissectors
|
||
|
||
The Parlay dissector has been removed.
|
||
|
||
New Protocol Support
|
||
|
||
Allied Telesis Resiliency Link (AT RL), EGNOS Message Server (EMS)
|
||
file format, MAC NR Framed (mac-nr-framed), RF4CE Network Layer
|
||
(RF4CE), and RF4CE Profile (RF4CE Profile)
|
||
|
||
Updated Protocol Support
|
||
|
||
• IPv6: The "show address detail" preference is now enabled by
|
||
default. The address details provided have been extended to
|
||
include more special purpose address block properties
|
||
(forwardable, globally-routable, etc).
|
||
|
||
Too many other protocol updates have been made to list them all here.
|
||
|
||
EGNOS Messager Server (EMS) files
|
||
|
||
u-blox GNSS receivers
|
||
|
||
Major API Changes
|
||
|
||
• Plugin registration API was refactored. Plugin authors must do
|
||
the following: 1 - Remove the existing boilerplate (version,
|
||
want_major` and `want_minor` and plugin API declarations. 2 - Add
|
||
a struct ws_module to the plugin. 3 - Call one of the
|
||
WIRESHARK_PLUGIN_REGISTER_* macros. See README.plugins sections 5
|
||
and doc/plugins.example/hello.c for details and examples.
|
||
|
||
Getting Wireshark
|
||
|
||
Wireshark source code and installation packages are available from
|
||
https://www.wireshark.org/download.html.
|
||
|
||
Vendor-supplied Packages
|
||
|
||
Most Linux and Unix vendors supply their own Wireshark packages. You
|
||
can usually install or upgrade Wireshark using the package management
|
||
system specific to that platform. A list of third-party packages can
|
||
be found on the download page[11] on the Wireshark web site.
|
||
|
||
File Locations
|
||
|
||
Wireshark and TShark look in several different locations for
|
||
preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These
|
||
locations vary from platform to platform. You can use "Help › About
|
||
Wireshark › Folders" or `tshark -G folders` to find the default
|
||
locations on your system.
|
||
|
||
Getting Help
|
||
|
||
The User’s Guide, manual pages and various other documentation can be
|
||
found at https://www.wireshark.org/docs/
|
||
|
||
Community support is available on Wireshark’s Q&A site[12] and on the
|
||
wireshark-users mailing list. Subscription information and archives
|
||
for all of Wireshark’s mailing lists can be found on the web site[13].
|
||
|
||
Bugs and feature requests can be reported on the issue tracker[14].
|
||
|
||
You can learn protocol analysis and meet Wireshark’s developers at
|
||
SharkFest[15].
|
||
|
||
How You Can Help
|
||
|
||
The Wireshark Foundation helps as many people as possible understand
|
||
their networks as much as possible. You can find out more and donate
|
||
at wiresharkfoundation.org[16].
|
||
|
||
Frequently Asked Questions
|
||
|
||
A complete FAQ is available on the Wireshark web site[17].
|
||
|
||
References
|
||
|
||
1. https://gitlab.com/wireshark/wireshark/-/issues/15990
|
||
2. https://gitlab.com/wireshark/wireshark/-/issues/16181
|
||
3. https://gitlab.com/wireshark/wireshark/-/issues/7752
|
||
4. https://gitlab.com/wireshark/wireshark/-/issues/10154
|
||
5. https://gitlab.com/wireshark/wireshark/-/issues/18588
|
||
6. https://gitlab.com/wireshark/wireshark/-/issues/19076
|
||
7. https://gitlab.com/wireshark/wireshark/-/issues/17484
|
||
8. https://www.lua.org/manual/5.4/manual.html#8
|
||
9. https://www.lua.org/manual/5.3/manual.html#8
|
||
10. https://www.lua.org/manual/5.2/manual.html#8
|
||
11. https://www.wireshark.org/download.html
|
||
12. https://ask.wireshark.org/
|
||
13. https://www.wireshark.org/lists/
|
||
14. https://gitlab.com/wireshark/wireshark/-/issues
|
||
15. https://sharkfest.wireshark.org
|
||
16. https://wiresharkfoundation.org
|
||
17. https://www.wireshark.org/faq.html
|